Product vision: MCP Control Plane Web Console (canonical) #652

Open
opened 2026-07-10 14:47:20 -05:00 by jcwalker3 · 2 comments
Owner

Canonical product vision — enduring source of truth

This issue is the enduring source of truth for the MCP Control Plane Web Console product vision.

Governance rules (binding)

  1. Implementation phases are sequencing decisions, not scope deletion.
  2. Deferred features remain part of the roadmap unless intentionally removed by a documented, controller-approved decision recorded on this issue.
  3. Child and implementation issues must link back to this vision.
  4. Any scope removed or materially changed must be recorded here with rationale (date, actor, decision).
  5. Closing an implementation issue must not imply the overall vision is complete.
  6. Roadmap/epic issues sequence delivery; they do not shrink this vision.

Related durable records:

  • Roadmap/epic sequencing: see linked roadmap issue (created with this planning package; also #631 implementation umbrella for #632–#651).
  • Foundation MVP: closed #425–#436 (webui/).
  • Orchestration: #628, #626; runtime safety: #630, #610, #615, #584; observability: #606, #607, #612; allocator: #600, #613.

Problem statement

Operators, controllers, and LLM workers lack a single durable MCP Control Plane Web Console that unifies system health, project onboarding, multi-forge connections, AI-provider management, workflow traffic control, session/lease/runtime inventory, conversation and evidence timelines, policy governance, security/RBAC, observability bridges, analytics, and human-attention routing — while Gitea, MCP capability gates, and canonical workflows remain the authority for durable work and mutations.

The closed MVP (#425–#436) and partial epic (#631 + #632–#651) cover only slices. This vision preserves the complete product concept so deferred ideas are never lost when only Phase 1 is scheduled.

Intended product capabilities (complete set)

A. MCP system health and process control

  • Readiness, liveness, uptime, versions (app, git SHA, dependency versions)
  • Dependency status (Gitea, control-plane DB, MCP namespaces, optional providers)
  • Degraded-state explanations (why not ready; what is still safe)
  • Sanctioned restart, stop, start, and graceful reload (never ad-hoc pkill — see #630)
  • Maintenance mode and emergency fail-closed controls

B. Operational dashboards and workflow statistics

  • Operator home dashboard
  • Workflow statistics: throughput, stage durations, blocker rates, queue depth
  • Traffic-control visualization of concurrent vs blocked work

C. Project registry, detail, and guided onboarding

  • Project registry and project-detail management
  • Guided onboarding of new repositories and projects
  • Repository discovery and validation
  • Manifests, labels, branch protections, test commands, workflow roles
  • Project readiness checks

D. External system connections

  • Gitea and GitHub connections
  • Sentry and GlitchTip connections
  • OpenAI, Anthropic, Gemini, xAI, Ollama, local OpenAI-compatible endpoints, and other AI providers
  • Connection health, scopes, expiration, validation, and credential rotation (server-side secrets only)

E. Requests and workflow control plane

  • Request creation, intent parsing, workflow previews
  • Approval, cancellation, pause, and reprioritization
  • Autonomous selection of the next valid workflow action (via allocator; never raw incident auto-assign)
  • Workflow queue and traffic-control views
  • States: ready, active, blocked, waiting, review, controller, reconciliation, complete, stale, abandoned
  • Dependency awareness and safe concurrent work

F. Sessions, runtime, leases, locks, worktrees

  • Sessions, capabilities, leases, locks, namespaces, runtimes, worktrees
  • Stale-session recovery, lease adoption, lock clearing, worktree rebinding, quarantine, and cleanup
  • Contamination detection (e.g. manual daemon kill) and fail-closed clean claims

G. Conversations, timelines, search, retention

  • Internal conversation browsing
  • Tool-call, decision, command, evidence, error, state-transition, and handoff timelines
  • Search across conversations, issues, PRs, sessions, events, and projects
  • Secret redaction, retention, access controls, and transcript export

H. Canonical linkage

  • Canonical issue, PR, workflow-ledger, and live-state linkage
  • Deep links to Gitea (and GitHub when connected)

I. AI-assisted operational insights

  • Summaries, blocker explanations, duplicate detection, recurring-failure analysis
  • Risk detection, workflow-health scoring, next-work recommendations
  • Evidence, confidence, and inference labeling for all AI insights (no uncited claims)

J. Observability bridges

  • Sentry/GlitchTip error grouping, regression detection, deployment correlation
  • Error-to-issue workflows (bridge only; Gitea remains durable work record)

K. Notifications and human attention

  • Human-attention routing aligned with attention boundary (#628)
  • Email, Slack, webhooks, digests, controller alerts
  • No alert spam for routine automated handoffs

L. Policy, guardrails, governance

  • Workflow policy and guardrail viewing
  • Versioned policy editing, validation, simulation, approval, rollback, audit history
  • Hard safety rails never overridable by soft policy (self-merge ban, branches-only, etc.)

M. Security and compliance

  • Authentication, SSO, RBAC, project permissions, auditor roles
  • Step-up authentication for privileged actions
  • Encryption, rate limiting, CSRF protection, privileged-action approval
  • Audit logs and immutable records for sensitive operations

N. Cost and performance analytics

  • Model usage, token usage, latency, success rate, cost, model-performance analytics
  • Human-intervention metrics and workflow-efficiency reporting
  • Missing metrics shown as unknown, never fabricated zeros

O. Future extension points (preserved even if unscheduled)

  • Multi-org / multi-tenant operator orgs
  • Plugin/extension marketplace for provider adapters
  • Mobile-responsive operator UI
  • Webhook inbound event bus beyond Sentry/GlitchTip
  • Advanced simulation of full multi-agent traffic
  • Cost budgets and automatic model-routing policies (controller-approved only)
  • Read replicas / HA console deployment topology
  • Customer-facing portal (explicitly out of MVP; preserved as future product fork decision)
  • GraphQL or public API for external automations (if ever authorized)
  • Offline/air-gapped console mode
  • Accessibility certification track (WCAG)
  • Localization
  • Blue/green console deploys with feature flags

Authority model (non-negotiable)

Layer Owns
Gitea (and GitHub when used as forge) Durable issues/PRs/comments/reviews/labels
Control-plane DB / allocator Sessions, assignment, leases, coordination
MCP capability gates Mutation authorization
Web Console Projection + gated, audited privileged actions
Sentry/GlitchTip Observe; bridge creates durable Gitea work
Canonical handoffs Stage continuation (#626/#628)

Console never invents policy and never bypasses gates.

Non-goals (product-level)

  • Public internet deployment without access controls
  • Replacing Gitea as system of record
  • Ungated browser approve/merge/close
  • Manual host process killing as recovery
  • Treating raw monitoring incidents as allocator work items
  • Storing provider secrets in the browser or git

Scope-change log

Date Actor Change Rationale
2026-07-10 author intake (jcwalker3 / prgs-author) Vision issue created Preserve complete product concept separate from phase sequencing

(Append only; removals require controller approval entry.)

Implementation linkage

  • Do not implement features on this issue.
  • Sequencing: roadmap issue + #631 children.
  • First batch (already exists): #632–#641 Phase 1 implementation issues.
  • Later batches: #642–#651 and future issues created from the Preserved but not yet scheduled roadmap section.

Acceptance criteria (for this vision record)

  1. Complete capability areas A–O are listed here.
  2. Governance rules above are explicit.
  3. Roadmap and implementation issues link here.
  4. Deferred ideas remain visible until converted or controller-rejected here.
  5. No phase table on this issue is allowed to delete capabilities (phases live on roadmap).

Canonical issue state

STATE: vision-active
WHO_IS_NEXT: controller (triage/ordering) / author (implementation of linked children only)
NEXT_ACTION: Use roadmap for sequencing; implement via child issues; update this issue only for vision changes
## Canonical product vision — enduring source of truth **This issue is the enduring source of truth for the MCP Control Plane Web Console product vision.** ### Governance rules (binding) 1. **Implementation phases are sequencing decisions, not scope deletion.** 2. **Deferred features remain part of the roadmap** unless intentionally removed by a documented, controller-approved decision recorded on this issue. 3. **Child and implementation issues must link back to this vision.** 4. **Any scope removed or materially changed must be recorded here with rationale** (date, actor, decision). 5. **Closing an implementation issue must not imply the overall vision is complete.** 6. **Roadmap/epic issues sequence delivery; they do not shrink this vision.** Related durable records: * Roadmap/epic sequencing: see linked roadmap issue (created with this planning package; also #631 implementation umbrella for #632–#651). * Foundation MVP: closed #425–#436 (`webui/`). * Orchestration: #628, #626; runtime safety: #630, #610, #615, #584; observability: #606, #607, #612; allocator: #600, #613. --- ## Problem statement Operators, controllers, and LLM workers lack a single durable **MCP Control Plane Web Console** that unifies system health, project onboarding, multi-forge connections, AI-provider management, workflow traffic control, session/lease/runtime inventory, conversation and evidence timelines, policy governance, security/RBAC, observability bridges, analytics, and human-attention routing — while Gitea, MCP capability gates, and canonical workflows remain the authority for durable work and mutations. The closed MVP (#425–#436) and partial epic (#631 + #632–#651) cover only slices. **This vision preserves the complete product concept so deferred ideas are never lost when only Phase 1 is scheduled.** ## Intended product capabilities (complete set) ### A. MCP system health and process control * Readiness, liveness, uptime, versions (app, git SHA, dependency versions) * Dependency status (Gitea, control-plane DB, MCP namespaces, optional providers) * Degraded-state explanations (why not ready; what is still safe) * Sanctioned restart, stop, start, and graceful reload (never ad-hoc `pkill` — see #630) * Maintenance mode and emergency fail-closed controls ### B. Operational dashboards and workflow statistics * Operator home dashboard * Workflow statistics: throughput, stage durations, blocker rates, queue depth * Traffic-control visualization of concurrent vs blocked work ### C. Project registry, detail, and guided onboarding * Project registry and project-detail management * Guided onboarding of new repositories and projects * Repository discovery and validation * Manifests, labels, branch protections, test commands, workflow roles * Project readiness checks ### D. External system connections * Gitea and GitHub connections * Sentry and GlitchTip connections * OpenAI, Anthropic, Gemini, xAI, Ollama, local OpenAI-compatible endpoints, and other AI providers * Connection health, scopes, expiration, validation, and credential rotation (server-side secrets only) ### E. Requests and workflow control plane * Request creation, intent parsing, workflow previews * Approval, cancellation, pause, and reprioritization * Autonomous selection of the next valid workflow action (via allocator; never raw incident auto-assign) * Workflow queue and traffic-control views * States: ready, active, blocked, waiting, review, controller, reconciliation, complete, stale, abandoned * Dependency awareness and safe concurrent work ### F. Sessions, runtime, leases, locks, worktrees * Sessions, capabilities, leases, locks, namespaces, runtimes, worktrees * Stale-session recovery, lease adoption, lock clearing, worktree rebinding, quarantine, and cleanup * Contamination detection (e.g. manual daemon kill) and fail-closed clean claims ### G. Conversations, timelines, search, retention * Internal conversation browsing * Tool-call, decision, command, evidence, error, state-transition, and handoff timelines * Search across conversations, issues, PRs, sessions, events, and projects * Secret redaction, retention, access controls, and transcript export ### H. Canonical linkage * Canonical issue, PR, workflow-ledger, and live-state linkage * Deep links to Gitea (and GitHub when connected) ### I. AI-assisted operational insights * Summaries, blocker explanations, duplicate detection, recurring-failure analysis * Risk detection, workflow-health scoring, next-work recommendations * Evidence, confidence, and inference labeling for all AI insights (no uncited claims) ### J. Observability bridges * Sentry/GlitchTip error grouping, regression detection, deployment correlation * Error-to-issue workflows (bridge only; Gitea remains durable work record) ### K. Notifications and human attention * Human-attention routing aligned with attention boundary (#628) * Email, Slack, webhooks, digests, controller alerts * No alert spam for routine automated handoffs ### L. Policy, guardrails, governance * Workflow policy and guardrail viewing * Versioned policy editing, validation, simulation, approval, rollback, audit history * Hard safety rails never overridable by soft policy (self-merge ban, branches-only, etc.) ### M. Security and compliance * Authentication, SSO, RBAC, project permissions, auditor roles * Step-up authentication for privileged actions * Encryption, rate limiting, CSRF protection, privileged-action approval * Audit logs and immutable records for sensitive operations ### N. Cost and performance analytics * Model usage, token usage, latency, success rate, cost, model-performance analytics * Human-intervention metrics and workflow-efficiency reporting * Missing metrics shown as unknown, never fabricated zeros ### O. Future extension points (preserved even if unscheduled) * Multi-org / multi-tenant operator orgs * Plugin/extension marketplace for provider adapters * Mobile-responsive operator UI * Webhook inbound event bus beyond Sentry/GlitchTip * Advanced simulation of full multi-agent traffic * Cost budgets and automatic model-routing policies (controller-approved only) * Read replicas / HA console deployment topology * Customer-facing portal (explicitly out of MVP; preserved as future product fork decision) * GraphQL or public API for external automations (if ever authorized) * Offline/air-gapped console mode * Accessibility certification track (WCAG) * Localization * Blue/green console deploys with feature flags ## Authority model (non-negotiable) | Layer | Owns | |-------|------| | Gitea (and GitHub when used as forge) | Durable issues/PRs/comments/reviews/labels | | Control-plane DB / allocator | Sessions, assignment, leases, coordination | | MCP capability gates | Mutation authorization | | Web Console | Projection + gated, audited privileged actions | | Sentry/GlitchTip | Observe; bridge creates durable Gitea work | | Canonical handoffs | Stage continuation (#626/#628) | **Console never invents policy and never bypasses gates.** ## Non-goals (product-level) * Public internet deployment without access controls * Replacing Gitea as system of record * Ungated browser approve/merge/close * Manual host process killing as recovery * Treating raw monitoring incidents as allocator work items * Storing provider secrets in the browser or git ## Scope-change log | Date | Actor | Change | Rationale | |------|-------|--------|-----------| | 2026-07-10 | author intake (jcwalker3 / prgs-author) | Vision issue created | Preserve complete product concept separate from phase sequencing | *(Append only; removals require controller approval entry.)* ## Implementation linkage * **Do not implement features on this issue.** * Sequencing: roadmap issue + #631 children. * First batch (already exists): #632–#641 Phase 1 implementation issues. * Later batches: #642–#651 and future issues created from the **Preserved but not yet scheduled** roadmap section. ## Acceptance criteria (for this vision record) 1. Complete capability areas A–O are listed here. 2. Governance rules above are explicit. 3. Roadmap and implementation issues link here. 4. Deferred ideas remain visible until converted or controller-rejected here. 5. No phase table on this issue is allowed to delete capabilities (phases live on roadmap). ## Canonical issue state ```text STATE: vision-active WHO_IS_NEXT: controller (triage/ordering) / author (implementation of linked children only) NEXT_ACTION: Use roadmap for sequencing; implement via child issues; update this issue only for vision changes ```
Author
Owner

Canonical Issue State

STATE:
vision-active

WHO_IS_NEXT:
controller

NEXT_ACTION:
Approve vision as enduring scope SoT; do not implement features here; sequence delivery via #653; authors implement only linked children

NEXT_PROMPT:

You are the CONTROLLER for Scaled-Tech-Consulting/Gitea-Tools on prgs.
Read #652 (canonical Web Console vision). Confirm phases on #653 do not delete vision items.
Any scope removal must be appended to #652 scope-change log with rationale.
Author next work is Phase 1 starting at #632 (architecture), then #633, then #634–#641.
Do not close #652 when implementation children close.

WHAT_HAPPENED:
Created canonical vision #652. Created roadmap #653. Retained existing implementation issues #632–#651 without recreation. Linked foundation #425–#436 and coordination issues.

WHY:
Preserve complete product concept; phases sequence only.

RELATED_ISSUES:
#653 roadmap; #631 umbrella; #632–#651 implementation; #425–#436 MVP; #628 #626 #630 #605–#607 #610 #600 #613

RELATED_PRS:
none

BLOCKERS:
none

VALIDATION:
#631 is not a full vision record; #652 is SoT for product vision; Phase 1 batch already open

LAST_UPDATED_BY:
jcwalker3 / prgs-author / author / 2026-07-10

## Canonical Issue State STATE: vision-active WHO_IS_NEXT: controller NEXT_ACTION: Approve vision as enduring scope SoT; do not implement features here; sequence delivery via #653; authors implement only linked children NEXT_PROMPT: ```text You are the CONTROLLER for Scaled-Tech-Consulting/Gitea-Tools on prgs. Read #652 (canonical Web Console vision). Confirm phases on #653 do not delete vision items. Any scope removal must be appended to #652 scope-change log with rationale. Author next work is Phase 1 starting at #632 (architecture), then #633, then #634–#641. Do not close #652 when implementation children close. ``` WHAT_HAPPENED: Created canonical vision #652. Created roadmap #653. Retained existing implementation issues #632–#651 without recreation. Linked foundation #425–#436 and coordination issues. WHY: Preserve complete product concept; phases sequence only. RELATED_ISSUES: #653 roadmap; #631 umbrella; #632–#651 implementation; #425–#436 MVP; #628 #626 #630 #605–#607 #610 #600 #613 RELATED_PRS: none BLOCKERS: none VALIDATION: #631 is not a full vision record; #652 is SoT for product vision; Phase 1 batch already open LAST_UPDATED_BY: jcwalker3 / prgs-author / author / 2026-07-10
Author
Owner

Canonical Issue State

STATE:
vision-active

WHO_IS_NEXT:
controller

NEXT_ACTION:
Acknowledge restart governance #655–#669 as vision-backed; preserve #668 HA even if deferred; do not treat closing console Phase 1 as completing restart safety

NEXT_PROMPT:

You are the CONTROLLER for Scaled-Tech-Consulting/Gitea-Tools on remote prgs.
Canonical vision is #652. Restart governance umbrella is #655 with children #656 through #669.
Confirm these remain in product vision: coordinated restart, drain, checkpoints, break-glass, post-restart reconcile, HA design.
Do not remove them when only web console Phase 1 ships. Sequence authors via #653 and #655 comment 10210.
Related complementary issues: #630 (pkill contamination), #642 (console restart UI extended by #667).

WHAT_HAPPENED:
Linked governed MCP restart program #655–#669 into product vision #652.

WHY:
Zero-disruption recovery is core vision capability, not disposable ops work.

RELATED_ISSUES:
#655 #656 #657 #658 #659 #660 #661 #662 #663 #664 #665 #666 #667 #668 #669 #653 #630 #642

RELATED_PRS:
none

BLOCKERS:
none

VALIDATION:
planning intake only; no implementation

LAST_UPDATED_BY:
jcwalker3 / prgs-author / author / 2026-07-10

## Canonical Issue State STATE: vision-active WHO_IS_NEXT: controller NEXT_ACTION: Acknowledge restart governance #655–#669 as vision-backed; preserve #668 HA even if deferred; do not treat closing console Phase 1 as completing restart safety NEXT_PROMPT: ```text You are the CONTROLLER for Scaled-Tech-Consulting/Gitea-Tools on remote prgs. Canonical vision is #652. Restart governance umbrella is #655 with children #656 through #669. Confirm these remain in product vision: coordinated restart, drain, checkpoints, break-glass, post-restart reconcile, HA design. Do not remove them when only web console Phase 1 ships. Sequence authors via #653 and #655 comment 10210. Related complementary issues: #630 (pkill contamination), #642 (console restart UI extended by #667). ``` WHAT_HAPPENED: Linked governed MCP restart program #655–#669 into product vision #652. WHY: Zero-disruption recovery is core vision capability, not disposable ops work. RELATED_ISSUES: #655 #656 #657 #658 #659 #660 #661 #662 #663 #664 #665 #666 #667 #668 #669 #653 #630 #642 RELATED_PRS: none BLOCKERS: none VALIDATION: planning intake only; no implementation LAST_UPDATED_BY: jcwalker3 / prgs-author / author / 2026-07-10
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#652